ITFA Data Protection Policy

1. Introduction

The purpose of this policy is to set out the approach of the International Trade & Forfaiting Association (the “Association”) to the protection of Personal Data.

This policy applies to all consultants, contractors and temporary personnel engaged by the Association, including any other parties that may obtain, use, create or maintain Association data.

2. Context

2.1 Scope

The Association collects and uses Personal Data about its members and other individuals who come in contact with it (referred to as Data Subjects), in the execution of its business activities. In collecting and using Personal Data, the Association is committed to respecting the rights of these Data Subjects in relation to the processing of their Personal Data, and to complying with all applicable laws and regulations.

This Policy relates to the Associations activities when it is acting as a Data Controller or as a Data Processor as defined in the EU General Data Protection Regulation or local equivalent legislation.

This policy supplements any other policies of the Association relating to information security and data retention.

The Association may supplement and amend this policy by additional policies and guidelines from time to time.

2.2 Applicable rules, laws and regulations

The Association is subject to the rules, regulation and laws of a number of jurisdictions, including, but not limited to:

EU Directive 2002/58/ EC.

Local Swiss legislation relating to data protection

EU GDPR 2016/679

3 Obligations and Requirements

3.1 Responsibility

The policy of the Association is to process Personal Data in accordance with the applicable data protection laws and regulations, to protect the rights and freedoms of an individual.

3.2 Principles

The Association will observe the following principles in respect of the processing of Personal Data:

Process Personal Data fairly and lawfully in line with the individuals’ rights;

Ensure that the reasons for processing Personal Data are adequate, relevant and not excessive for that purpose;

Ensure that Personal Data is kept up to date where necessary;

Ensure that Personal Data is kept only for as long as it is needed;

Ensure that Personal Data is protected from loss or misuse

Ensure that Personal Data is adequately protected when transferred across national borders and/or shared with 3rd parties.

3.3 Fair and Lawful Processing

The Association will process Personal Data fairly and lawfully and will do so in the following circumstances:

The processing is necessary to satisfy a legal obligation of the Association;

The processing is in the legitimate interests of the Association and does not unduly prejudice the privacy of an individual;

Processing is necessary to fulfil the requirements of a contract with a Data Subject;

The Data Subject in question has consented to the processing of their Personal Data. Where consent is considered the lawful purpose please refer to PD-Operations Planning.

3.4 Purpose of Processing

In broad terms the Association will collect and process personal data for the following purposes:

To meet its legal obligations.

To satisfy the legitimate interests of the Association in meeting its objectives and to provide sound governance and operational controls.

To satisfy our members’ legitimate interests.

To meet the contractual obligations of the Association.

Data subject’s rights are protected by law. A data subject may request erasure, object or otherwise make representations to the Association which the Association will act on in accordance with its legal obligations.

3.5 Accuracy, adequacy, relevance and proportionality

Personal Data must be processed in a way which is accurate, adequate, relevant and proportionate for the purpose for which it was obtained.

Personal Data obtained for one reason may not be used for any other purpose not directly connected to the original reason for its collection and processing (unless the individual in question has explicitly agreed to this additional processing, or, would otherwise reasonably expect that their data may be used in this way).

We must ensure that Personal Data held by the Association is accurate and updated as required. If the Personal Data or circumstances of an individual change, this merits at least a review of the Personal Data held by the Association.

All proposed changes to the processing of Personal Data will be considered so as to ensure that the proposed processing changes do not expose the Association to non-compliance or possible data breach risks.

3.6 Data retention

Personal Data must not be retained for any longer than is necessary to satisfy the fair and lawful reason for processing it.

3.7 Classification, Handling & Data Breach Reporting

The Association will classify and handle Personal Data in a manner which is consistent with this policy and all applicable law. It will investigate any breach of its obligations and take appropriate remedial actions; and make any applicable notifications.

3.8 Special Data Categories

Sensitive Personal Data is data of the following types; racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing of such data is subject to specific provisions. The lawful purpose for the Association in processing such data can only be where the Association is under a specific legal obligation to process such data in exercising specific rights in relation to employment and social security and social protection law.

3.9 Transfers

Personal Data can only be transferred in appropriate circumstances.

The Association may choose to utilize the services of a Data Processor and where it does so it must ensure suitable steps are taken to protect the Personal Data it has collected as a Controller. A controller remains responsible for all aspects of the data collected on its behalf.

3.10 Rights of individuals

Data Subjects are entitled (subject to certain exceptions) to request access to information about them which is held by the Association.